WannaCry Ransomware

15th May 2017

WannaCrypt, also known as WannaCry, is a new ransomware that has wreaked havoc across the world. It spreads like a worm by leveraging a Windows SMB vulnerability (MS17-010) that Microsoft had already fixed in March. This ransomware hit the computer systems of hundreds of private companies and public organizations across the world and is believed to have the highest infection rate of all time. The ransomware in question has been identified as a variant of ransomware known as WannaCry (also known as ‘Wana Decrypt0r’, ‘WannaCryptor’ or ‘WCRY’). Like other dangerous ransomware variants, WannaCry blocks access to a computer or its files and demands money to unlock it. Once infected with the WannaCry ransomware, victims are asked to pay up to $300 to remove the infection from their PCs; otherwise, their PCs are rendered unusable and their files remain locked.

The WannaCry attackers use a Windows exploit discovered and tested by the NSA called EternalBlue, which was stolen and released by the Shadow Brokers hacking group over a month ago. The attack has been halted by a security researcher (@MalwareTechBlog) who bought the domain the ransomware uses to retrieve the payload to launch this attack, stopping the spread; this is not a permanent solution, but it has bought time for most organizations that were being infected.

1. System(s) Affected
All Microsoft Windows Operating Systems

2. Impact
Ransomware does not only target home users; businesses can also become infected, leading to negative consequences including:
• Temporary or permanent loss of sensitive or proprietary information,
• Disruption to regular operations,
• Financial losses incurred to restore systems and files, and
• Potential harm to an organization’s reputation.
Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.
End users should not open emails, links or executable files that cannot be trusted.
Most ransomware is embedded in documents distributed as email attachments.

3. Workarounds
Disable SMBv1

For client operating systems:
Open Control Panel, click Programs, and then click Turn Windows features on or off.
In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
Restart the system.

For server operating systems:
Open Server Manager and then click the Manage menu and select Remove Roles and Features.
In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
Restart the system.

4. Solutions
CERT-GH recommends that users and system admins:
1. Take all Windows OS systems off the internet and off the network.
2. Create a backup of all files needed.
3. Store the backup in an air-gapped location.
4. Download the Windows update (KB4019472) in a sandbox environment.
For updates, go to http://www.catalog.update.microsoft.com/Home.aspx, enter the KB number and download the updates manually.
5. Install the update without connecting to a network or the internet.
6. After the update, the system can be connected to the internet.
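The SMBv1 workaround and the patch step above, as an added PowerShell example that is not part of the CERT-GH advisory: it reports whether the update the advisory names (KB4019472) is installed and then disables SMBv1 without rebooting. It assumes an elevated prompt and a Windows 8 / Server 2012 or later host for the SMB cmdlets; the registry branch is the documented alternative for Windows 7 / Server 2008 R2, where those cmdlets do not exist.

```powershell
#Requires -RunAsAdministrator
# Added example (not the advisory's own code). Audits the MS17-010 patch and
# disables SMBv1 on the local host. Restart afterwards, as the advisory says.

param(
    # KB4019472 is the update the advisory names; the MS17-010 KB number
    # differs per Windows version, so pass the one for your build if needed.
    [string]$PatchKb = 'KB4019472'
)

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Patch {
    param([string]$Kb)
    # Get-HotFix errors when the KB is absent; treat that as "not installed"
    $hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

function Get-Smb1Enabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: SMB1 is on unless the SMB1 value is explicitly 0
    $val = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Windows 8/10: also remove the optional feature (server and client side)
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

if (Test-Ms17010Patch -Kb $PatchKb) {
    "$PatchKb is installed"
} else {
    "WARNING: $PatchKb not found; install it before reconnecting to the network"
}
if (Get-Smb1Enabled) { 'SMBv1 is enabled; disabling'; Disable-Smb1 } else { 'SMBv1 already disabled' }
'Restart the system to complete the change.'
```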

Microsoft has released an update for unsupported (end-of-life) Windows versions.